Privacy, Technology,
and the American Citizen *


1 Introduction

The right to privacy has been an issue of considerable
prominence in recent months as the Congress and the American
public have increasingly questioned the extent and nature of
the constitutional and moral ramifications of privacy. This
article presents an examination of privacy with particular
emphasis on the implications of technological advancement. A
framework is developed within which managerial decisions
related to questions of privacy can be examined.

An initial investigation of the definition of privacy is
presented which distinguishes between the individual's need
for privacy and the society's requirements for infringing
upon that need. Next, the technological determinants of
privacy are examined, including the utilization of advanced
electronic equipment (especially the computer) to collect
information. The unique properties and problems inherent in
multiple-access time-sharing systems are considered.

All of these issues are integrated into a framework for the
analysis of specific databanks. This framework may be applied
to databanks currently in existence and to those which may be
proposed at some future time. The guidelines presented are
intended as an aid in determining the suitability of such
databanks.

Finally, a number of proposed solutions to the problems of
privacy are examined, followed by suggestions for further
thought.

2 Privacy: The Problem

Privacy concerns everyone. Although most Americans would
agree that no one should take a challenge to his privacy
lightly, few carefully consider the implications of applying
for a credit card or a bank loan. Any time a transfer of
information occurs, privacy is in some way affected, whether
it be our personal privacy, that of our friends or neighbors,
or the privacy of an organization. Concurrently with our
individual considerations of privacy, we must act as a nation
to forge a clear national policy.

Privacy is not easily defined. In fact, there is no widely
accepted definition in use today, although at least one
excellent definition (in the logical sense) has been
presented. In legal terminology, a satisfactory definition
remains to be established. (See also (2))

2.1 Definition of Privacy

The most important dimensions of privacy can be seen through
an examination of statements made by various individuals who
have wrestled with the problem. Arthur Goldberg, former
Associate Justice of the United States Supreme Court, has put
forth the following observation:

"The dwindling of privacy has been as [illegible] world, we
have only belatedly realized that privacy is [illegible]
resource, and one which [illegible] protected against the
claims of efficient social ordering." (16)

Congressman Cornelius Gallagher, speaking before the American
Management Association, has defined privacy as:

"...the free choice by a free man in disclosing to public
regard certain basic facts about his actions, thoughts, and
decisions." (12)

He goes on to say:

"[illegible] law...the cornerstone of a free
America...demands that the past be a springboard [illegible]
expression and use of ability and not an [illegible] him in
[illegible] decisions." (12)

These attempts at definitions are, however, incomplete. The
most comprehensive definition of privacy is offered by
Professor Alan F. Westin (See also (20),(21)); it highlights
the privacy decision as the choice of the individual in
trading off his desire to be an individual and his desire to
participate in society:

"[illegible] processes [illegible] society sets in order to
enforce its social norms." (19)

2.2 The Individual's Viewpoint

Several facets of privacy are important from the individual's
viewpoint. In his book, Privacy and Freedom (19), Professor
Westin has identified four primary functions which privacy
performs.

A. Individuals intrinsically seek personal autonomy. Privacy
provides the capability for individuals to control the flow
of information that relates to their personal lives, and, by
so doing, provides a means for them to direct some aspects of
their existence. Indeed, the history of literature is marked
by references to controlling one's fate. In an ever more
complex and active society, this function of privacy assumes
an ever increasing importance.

B. Privacy protects people from undue consequences resulting
from the expression of anger and frustration. Through this
function, then, individuals are afforded the opportunity for
emotional release without the continuous damper that a record
of their actions would cause. Of course, when the actions of
emotional release infringe upon the rights of others,
response by the society is justified.

C. Privacy provides for self evaluation and introspection.
Individuals must be allowed to evaluate their own performance
for the purpose of determining their desires and actions.
Privacy allows this self-supervision without the constant
feeling that someone is looking over your shoulder. Again,
this function is not absolute -- the evaluation of an
employee by his supervisor, for example, is legitimate.

D. Privacy allows for the protected and privileged transfer
of information. Within this context, an individual is granted
the opportunity to discuss a supervisor with another employee
without fear of dismissal.

But the need for privacy goes even beyond such logical
considerations. The work of many anthropologists,
sociologists, and biologists indicates strongly that privacy
is a biological necessity for human beings. Professor Westin
has discussed studies of animal behavior which show that men
and animals may very well share basic mechanisms for seeking
privacy within their environments. (19) Extrapolating from
the great importance ascribed to privacy in the animal world,
one must assume that privacy is an even more significant
determinant of behavior in the human species. Perhaps the
inherent desire in each of us to occasionally seek solitude
is an illustration of this need.

2.3 Conflicts of Privacy

However, consideration of the privacy problem on an
individual by individual basis is not sufficient; such
consideration ignores the problems created by conflicts of
privacy. Most, if not all, of the data with which we are
concerned is the joint property of at least two parties --
the person who originated the information, and the person
whom the data concerns. In many cases, the privacy rights of
these two parties conflict. Consider the case of medical
records. Included in these records are many impressions that
the doctor might note to aid himself in his future work with
the patient. For example, it might be very important to
record that a patient showed indications of schizophrenia.
The physician would not want the patient to be aware that
this opinion was recorded in the medical record. Thus, to
release the medical record for examination by the patient
would conflict with the physician's right to professional
privacy.

The formulation of a legal definition of privacy, either by
statute or precedent, is as difficult a problem as the
development of a semantic definition. Within the context of
our democratic institutions, certain rights are specifically
guaranteed by the Constitution. However, privacy was not
explicitly mentioned in that document because it was less a
problem then than it is now. Although a number of
Constitutional bases for the right to privacy exist in the
First, Fourth, Fifth, and Fourteenth Amendments, the
interpretation by the courts has varied from case to case.
However, guidelines have been developed by the courts along
which the legal implications of privacy issues can be
evaluated. (14) One of the most important and far-reaching of
these is the concept of the chilling effect that invasions of
privacy tend to impose upon the exercise of civil liberties.

The chilling effect, as defined by the courts, is the
tendency of individuals to view invasions of privacy,
especially surveillance activities, as a threat to their
exercise of free speech or other activities explicitly
protected by the Constitution. Such invasions of privacy may
assume many forms. It is the indirect effects of these
invasions that the courts have viewed as unconstitutional.

The courts have developed three primary guidelines by which a
given chilling effect may be ruled unconstitutional (3).
These guidelines are:

A. The severity and scope of the alleged chilling effect on
the exercise of First Amendment freedoms. The difficulty of
proving the chilling effect under this guideline is indicated
by the case of the United Public Workers vs. Mitchell:

"...the general threat of possible interference with those
appellants' rights by the Civil Service Commission under
its...rules does not make a justiciable case or controversy.
A hypothetical threat is not enough." (3)

Logically, of course, the chilling effect is not dependent
upon actual infringement of civil liberties. If an individual
perceives a threat of infringement, his activities are
chilled whether or not such a threat actually exists.

B. The likelihood of opportunities to vindicate, with
reasonable promptness, such First Amendment rights as may be
infringed upon. The courts seek only those cases which
involve reasonable elapsed times since the violation of
rights occurred, and seem to imply that they want to
establish a statute of limitations for such violations.

C. The nature of the issues which a full adjudication of the
merits must resolve, and the need for factual referents in
order to properly define and narrow the issues. There must
exist a clear factual relationship between the alleged
violation of privacy and the corresponding First Amendment
right.

It should be clear from this brief discussion that these
guidelines place stringent constraints on an individual's
ability to legally prove invasion of privacy. In paragraphs
below, we will show that advancing technology is severely
compounding these difficulties.

2.5 The Society's Viewpoint

Dr. Westin's definition emphasizes the fact that society
desires to enforce its norms upon individual members. Such
enforcement is, of course, inherent in the definition of
"society"; very few people would question the necessity of
such enforcement to the existence of civilization.

In order to enforce norms, society establishes a variety of
institutions which watch over individuals and monitor their
behavior. Thus cumulative social pressure places constraints
on each citizen's privacy decision. We cannot choose, for
example, to drive cars at excessive speeds, or to burn down
our neighbor's house.

In the absence of explicit legal and semantic definitions of
privacy, however, the institutions for norm enforcement are
not themselves sufficiently constrained in their actions.
Institutions may therefore exceed the bounds of reason quite
by accident in their zeal to carry out their assigned tasks.
Numerous examples of such excess may be found in the press.

The seriousness of these excesses is compounded by the
public's lack of sophistication in making the privacy
decision: many people are completely unaware of the
implications for information dissemination that their actions
have. Obtaining a credit card, for example, represents
consent to release quite a considerable amount of personal
information to a system whose control of access is relatively
poor. Such information as salary, bank balances, and marital
status become available for distribution.

3 Information Collection: The Reasons

All of this is not to say, of course, that society has no
right to collect information about its members. Civilization
could not exist without such collection. What has been
lacking is a framework within which to discuss why data is
collected.

There are three main forces which drive men to collect,
analyse, and disseminate information. These are: 1) to
facilitate the management function of society; 2) to help
resolve conflicts of individual's rights; and 3) to
disseminate information for its own sake. Most invasions of
privacy can be traced to the fact that a particular system is
collecting data for more than one of these reasons, or is
collecting data relevant to one reason and distributing it
for another.

3.1 The Management Function of Society

Perhaps the most susceptible to abuse is the collection of
data to facilitate the management function of society. In
order to maintain a complex civilization, a tremendous
coordinating effort must be undertaken on a continuing basis.
For example, in order to distribute a paycheck to an
employee, considerable information, including his earning
rate, his hours of work, his social security number, his home
address, and the number of his deductions, must be known. It
is difficult to quarrel with the necessity for keeping this
information.

The most common abuse is over-extension. The collection of
information has a very powerful driving force inherent within
itself -- the third force for collection. Data collection
systems, if left alone, will often collect data far beyond
their true needs and collection will become a goal in itself
rather than a means to a specific end. Questions such as
"Taking things all together, would you say you are very
happy, pretty happy, or not too happy these days?", when
asked of senior citizens by the Census Bureau 16), are clear
examples of over-extension.

3.2 Conflicts of Individual Rights

The second driving force for data collection is to set up
systems for resolving conflicts in the rights of individual
members of the society. For example, it is clear that
driver's licenses are necessary in order to prevent
dangerous, incompetent, and reckless persons from abusing
other people's rights to use our roads with some measure of
safety. Another good example is the FBI fingerprint file,
which is tremendously helpful in preventing the destruction
of life and property by criminal elements.

Perhaps the most common abuse of such systems is dependence
on the relative political power of the groups whose rights
are in conflict. Such systems must be constructed carefully
to avoid the possibility of might being right. To construct
such a system clearly requires that the agent making the
final judgement not be subject to political pressure.

3.3 Dissemination for Information's Value

The last major reason for the collection of information is
the inherent value of information in its own right. The
common expression "knowledge is power" retains its validity
in the fast paced and highly politicized climate of our
society. Perhaps the best example of such a system is
education.

In systems which are built for the purpose of dissemination,
care must be taken that information is not inappropriately
disseminated. For example, the library should not open its
files of users' borrowing records to examination by the
general public.

It is especially important that systems which logically exist
for one of the first two purposes not be allowed to
disseminate information for its own value. Such dissemination
is almost always inappropriate. For example, probation
records are maintained in order to resolve the conflict
between an individual's right to be given a lighter sentence
and society's right to be protected from dangerous criminals.
To release such records to prospective employers (for either
money or political favors) is an illegitimate invasion of
privacy.

We are now in a position to delineate the most important
aspects of the privacy decision (see Figure 1). On the one
hand, there are society's needs for information, and on the
other, there are the individual's needs for privacy. The data
collection decision must be a tradeoff between these sets of
needs.

The means by which information on individuals is collected
are numerous and varied; they range from very unsophisticated
to highly technical methods.

The most obvious means to obtain information from people is
simply to ask them questions. Surprisingly, very few people
refuse to answer questions on such topics as income, sexual
behavior, political and religious beliefs, and educational
background, if only the questions appear in some "legitimate"
form (i.e. questionnaires, voter opinion surveys, and the
like). People are equally willing to divulge information
about the drinking habits and marital behavior of their
neighbors. It is clear that too few people question the
validity or necessity of requests for information. Simple
questioning without coercion or pretext is the major means by
which invasion of privacy occurs.

A second, and less direct, technique for obtaining
information is to search readily available public sources,
such as town records and published information including
books, newspapers, and unofficial reports of various
organizations. Sometimes this information must be purchased;
the Internal Revenue Service, for example, has had a policy
of selling to anyone lists of all persons in the U.S. who own
registered firearms.

The third method of information collection is physical and
psychological surveillance. This involves the use of manpower
and, at times, electronic equipment to monitor a person's
activities.

Of course, the flow of information may go considerably beyond
the person to whom it is first released. When existing and
future databanks become interconnected, one of the most
important sources of information will be other databanks.

5 Privacy and Technology

Technological development has increasingly important
ramifications for privacy; the rapid advance of science and
technology carries with it a hornet's nest of problems.
Perhaps two developments have most strikingly demonstrated
the conflict between privacy and technology in the United
States -- sophisticated electronic communications equipment
and the high-speed digital computer.

5.1 Communications Equipment

Electronic communications equipment presents a challenge
brimming with implications for privacy. The capability for
electronic bugging and surveillance on a massive scale has
been developed. Moreover, industrial espionage in the U.S. is
at least as big a business as government domestic
intelligence operations. For example, a 1967 study performed
by the Saber Corporation, which specializes in anti-bugging
devices, conservatively concludes that industrial espionage
accounts for annual losses of more than three billion
dollars. (1)

At least as important as the proliferation of surveillance
devices is the proliferation of telecommunications equipment.
Our ability to re-distribute data around the country at high
speed enables us to propagate violations of privacy far and
wide long before anyone becomes aware of the problem. Current
plans for nationwide integration of some telecommunications
networks present tremendous privacy problems which no one has
yet addressed.

5.2 The Computer and Privacy

But bugging devices only facilitate the collection of raw
data. The most powerful device yet developed for the
accumulation and processing of that data is the computer.
However, the computer itself is not an invader of privacy; it
is only an amplifying device for man's ability to process
data. It becomes a major factor in the problem by virtue of
the magnitude of that amplification.

Consider, for example, the IBM System 360/195. It is capable
of performing on the order of twenty-five million
calculations per second. In terms of storage capacity, the
mass storage unit marketed by Precision Instrument Company of
Palo Alto (an argon-laser device) stores 645,000,000 bits per
inch. Thus one 4800 foot reel of computer tape could contain
about twenty double-spaced typewritten pages on every person
in the United States. File retrieval time for such a system
would be less than four minutes.

The greatest progress in computerized privacy protection has
come about rather indirectly through the advent of
multiple-access time sharing systems. The development effort
for these systems requires protection of one user's
information from accidental or purposeful access by other
users. Considerable effort on access control systems which
permit controlled sharing of resources in the multiple-access
environment has been undertaken by a variety of research
projects such as M.I.T.'s Project MAC. (4),(7),(8)

Partial protection is provided in many time sharing systems
by the requirement that the user identify himself at the
terminal. Schemes ranging from simple passwords to signature
recognition have been proposed or implemented. These static
schemes suffer from the fact that any identification must be
converted to a bit pattern for transmission over data lines
to the computer; thus the user's I.D. may be had simply by
tapping his phone line and recording the transmission. A more
effective scheme, in which the user's password is the answer
to a computation performed on a string of random digits
supplied by the computer, is now in use at Project MAC. Since
the user's password is different at every session, it is safe
from tapping.
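
The contrast drawn above between a static identification and a
per-session computation on random digits, as an added example (not
code from the original paper or from Project MAC). HMAC-SHA256 stands
in for the computation, which the paper does not specify; the class
names, sample password and shared secret are constructed.

```python
import hashlib
import hmac
import secrets


def response_for(secret: bytes, challenge: str) -> str:
    """The 'computation performed on a string of random digits'.

    HMAC-SHA256 is an assumed modern stand-in; the paper does not say
    which computation was used.
    """
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class StaticHost:
    """Host that accepts the same fixed password at every session."""

    def __init__(self, password: str):
        self._password = password

    def login(self, sent: str) -> bool:
        return hmac.compare_digest(sent.encode(), self._password.encode())


class ChallengeHost:
    """Host that issues a fresh random digit string for each session."""

    def __init__(self, secret: bytes, digits: int = 12):
        self._secret = secret
        # Short challenges repeat, and a repeated challenge makes a
        # previously recorded response valid again.
        self._digits = digits
        self._pending = None

    def new_challenge(self) -> str:
        self._pending = "".join(
            secrets.choice("0123456789") for _ in range(self._digits)
        )
        return self._pending

    def login(self, sent: str) -> bool:
        # A challenge is consumed by the first attempt, right or wrong,
        # so one challenge can never authorise two sessions.
        challenge, self._pending = self._pending, None
        if challenge is None:
            return False
        expected = response_for(self._secret, challenge)
        return hmac.compare_digest(sent.encode(), expected.encode())


def run_demo() -> dict:
    """Run both schemes while recording what crosses the data line."""
    line_recording = []  # constructed: what a tap on the line would hold

    # Static scheme: the identification itself crosses the line.
    static_host = StaticHost("sample-password")  # constructed value
    line_recording.append("sample-password")
    static_first = static_host.login("sample-password")
    static_replay = static_host.login(line_recording[-1])

    # Computed scheme: only the digits and the answer cross the line.
    secret = b"constructed-shared-secret"  # never transmitted
    host = ChallengeHost(secret)
    c1 = host.new_challenge()
    r1 = response_for(secret, c1)
    line_recording.extend([c1, r1])
    first = host.login(r1)

    # Later session: the host picks new digits, so the recorded answer
    # no longer matches what the host expects.
    host.new_challenge()
    replay_new_session = host.login(r1)
    # With no outstanding challenge the host accepts nothing at all.
    replay_no_challenge = host.login(r1)

    return {
        "static_first_login": static_first,
        "static_replay_accepted": static_replay,
        "challenge_first_login": first,
        "challenge_replay_accepted": replay_new_session,
        "replay_without_challenge_accepted": replay_no_challenge,
        "secret_seen_on_line": secret.decode() in line_recording,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The recorded answer protects only the login; as the next paragraph
notes, the session data that follows still crosses the line in the
clear unless it is encoded.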

However, tapping of data lines will still enable the theft of
transmissions of data. A number of effective schemes for
encoding and decoding transmissions have been developed, but
none are in widespread use.

Within the computer's storage system, the problem is one of
permitting controlled sharing of programs and information.
Access control schemes vary widely in their sophistication;
the only systems which offer even reasonable protection are
implemented in academic computer facilities. Perhaps the most
successful scheme to date is that employed by Multics at
Project MAC, in which protection is attained through control
of access paths to information coupled with a ring structure
which offers the ability to specify the level of privilege of
any program with respect to others in the system. Even this
structure, however, does not solve all access problems.

Another consideration is the fact that the same
centralization of information and computing power that makes
time-sharing systems cost-effective may very well make
concentrated efforts to break the access control system
cost-effective. Centralization may therefore be expected to
cause an increase in the number and persistence of attacks on
the access control system; its integrity becomes a very
important issue.

5.3 Technology and the Courts

This advancing technology is rapidly destroying whatever
competence the courts have had in dealing with privacy
issues.

The main problem is the speed with which information can be
dispersed. The irreversible damage done by illegitimate
dissemination of adverse information, coupled with the
courts' inherent delays, means that preventive measures
cannot be taken, and that corrective measures would come too
late.

Moreover, any penalties which might be promulgated would
require considerable technical knowledge to enforce. Given
the present technical sophistication of the judicial branch,
the job of executing the sentence would necessarily fall to
the same programmers who implemented the system in the first
place. Such dependence upon the good will of the guilty
clearly is no solution to the problem. For example, the
contents of a data bank which has been ordered destroyed
might well be stored on microfilm before the order is carried
out.

Presently the world of the courts and the world of data
processing have very little in common. No satisfactory laws
exist for the protection of privacy from advancing
technology. Even if such laws are passed, a stupendous effort
will be required to bring the rest of the legal system into
the computer age.

Having examined the nature of the problem of privacy, it
behooves us to develop a clear analytical framework for
viewing individual databanks. The objective of such an
analysis is to develop criteria for the design of specific
databanks. The analysis assumes, of course, that careful
consideration has previously been given to the question of
whether a databank is needed at all; a data bank which does
not serve one (and only one) of the three reasons for
collecting information should not exist.

The concepts discussed in the following paragraphs and the
relationship among them are illustrated in Figure 2.

Figure 2.

6.1 Collection Criteria

Unless there exists the possibility of a chilling effect on
civil liberties, the collection of data is not of itself an
invasion of privacy. The majority of information is collected
through acceptable channels and for justifiable purposes.
Among the most commonly developed databanks are company
personnel records, national census data, and industry
statistical information. Only when information is collected
through inappropriate channels, is disseminated to
unauthorized persons or organizations, or is utilized for an
inappropriate purpose has privacy been violated. Once the
decision to establish a data bank has been made, the control
of the collection and distribution of information becomes the
central issue.

Of primary importance are the criteria by which data
concerning an individual or a group becomes a candidate for
entry into the databank. In order to establish a
comprehensive and logical set of criteria, prior thought must
be given to the specific goals of the system. If the desired
output can be stated precisely (and justified on the basis of
the rights of individuals and groups to control their own
privacy), then input criteria can be defined and bounded in a
fashion that not only eliminates the gathering of useless
data and promotes efficient system design, but also prevents
unwanted side effects.

Failure to clearly define the objectives of the databank is a
contributory factor in improper collection. When a failure to
specify objectives occurs, any information which might be of
remote relevance at some time in the future is collected.
This usually results in the collection of considerable
unnecessary information and in a potential threat of invasion
of privacy.

6.2 The Quality of Information

Once reasonable standards have been established for
determining what data is to be sought as input to the system,
it is necessary to set up procedures for controlling the
quality of that information.

Quality control has two aspects. First, the accuracy of input
data must be controlled as it is entered. In a computerized
system, this might involve checking punch cards for
keypunching errors.

The second aspect of quality control concerns the
removal of information from the file when it becomes
outdated. Perhaps information related to individuals (and
corporations) should be classified like radioactive metals
— by "half lives", with different lengths of retention
time depending on the nature of the information.

6.3 Data Analysis

The next important consideration is the
methodology used for aggregating raw data into a usable
product. The collection of data by itself produces very
little in the way of useful managerial information. Data
must be analysed and manipulated into a usable format; data
are the building blocks of information. The methods used in
this analysis determine precisely the content of the output
information. Improper methods may result in biased,
misleading, or false information being transmitted by the
system. Such information may well constitute an invasion of
privacy.

6.4 Access Control

Given a system which is able to provide useful
information, it is necessary to carefully control access to
that information. Virtually every piece of information is
sensitive to some degree and requires protection against
unauthorized usage. Specific rules for the dissemination of
information which consider both the authority and "need to
know" of any potential user must be established. But the
promulgation of these rules must be accompanied by
procedures for enforcement.

6.5 Inter-databank Transfers

A further problem that must be considered is the
exchange of data between databanks. First, care must be
taken to insure the propriety of such exchanges. Moreover,
interchange demands verification of the accuracy of any
transmitted information so that errors will not be
propagated.

6.6 Social Effects

Finally, the social effects of any proposed
information system must be considered. Each function that
the system is to perform must be weighed in terms of its
social benefits and social costs. The benefits may be
delineated in terms of the driving force behind the system's
establishment — will the system in fact assist in the
management function of the society; will it help resolve
conflicts of individual rights; or will it cause progress
through the distribution of knowledge.

These benefits must be balanced against the social
costs of the system, which may be measured in terms of the
individual's loss of privacy, the resulting degradation of
freedom and the possible chilling effect on the exercise of
civil liberties.

7 LS. lh.l^lkl, SOLUTION AND ITS SHORTCOMINGS

Today the most commonly proposed solution to the
problem of privacy is simply to allow individuals access to
their own files in order that they might correct any
inaccurate information. This proposal is over-simplistic
for several reasons.

First, the idea assumes that the individual is the
only entity which might be harmed by an invasion of privacy.
This is, of course, not the case. There are many groups who
have been harmed by the illegitimate release of information
-- large corporations, draft-resistance groups, political
groups, and the Government itself. Although it is true that
consideration of individual rights must take precedence over
consideration of organizational rights, these groups
presumably have some right to privacy. However,
Constitutional guarantees are even less well defined for
organizations than for individuals.

Second, individual access assumes that the
individual is necessarily the person most qualified to
correct his own record, and that he will be interested in
having his file current and accurate. Again, this is a
false assumption in many instances. It is ridiculous to
think, for example, that a person should be able to change
his medical record at will. Moreover, in the case of
information which in some way is unfavorable, it will never
be in the individual's interest to have correct information
in his file. If we do not trust a small group of people to
accurately report sensitive information, then we surely
cannot trust everyone, en masse, to perform this function.

The most important shortcoming of this solution is
that it does not recognize the problem of conflicts of
privacy. To show the patient his medical record would
compromise the doctor's privacy; to show the student his
letters of recommendation would compromise the authors'
rights to privacy. Clearly giving the individual access to
his own files is an inadequate solution to the problem.

1 

8.1 Separation of Fact and Opinion

The first attempt at a solution to the problem of
conflicts of privacy might be to draw a very clear
distinction between information which is to be considered
fact, and that which is to be considered opinion. In the
medical example, it would be possible to separate the
objectively provable facts from the physician's opinions,
giving patients access to the former, but not to the latter
record. Unfortunately, this distinction between verified
factual information and interpreted or hearsay information
is not drawn in many databanks. Moreover, even if it were,
there would still remain conflicts of privacy.

8.2 Other Alternative Solutions

Careful consideration should be given to Senator Sam J.
Ervin's proposal to:

"create a Federal agency with powers to
register all data bank operations, military and
civilian, to demand justification for the records kept
and to enforce a citizen's right to examine and to
challenge data which could hurt his reputation, even
his ability to earn a livelihood, for the rest of his
days." (15)

(See also (5))

The investigative powers of such an agency,
however, would be such that the operations of that agency
would, in itself, be an invasion of individual and
organizational privacy. As a result, such an agency would
require explicit guidelines directing the agencies and
databanks for which, and by whom, an investigation would be
performed. Specific criteria for the evaluation of
databanks would be needed to enable investigators to conform
to the intentions of the regulatory agency. An additional
problem unique to this proposal is the determination, for
the regulatory agency, of what data files that agency itself
would keep in its investigative files. The entire problem
of regulation by a Federal agency is complicated even
further by the necessity for both a legislative definition
of privacy and a national consensus as to the extent of each
citizen's rights. This quite possibly is a question that
only the Supreme Court and the Congress could answer.

An alternate, though related, solution is to
establish private companies specializing in the review and
analysis of databanks. These companies would perform in a
manner similar to Certified Public Accountant firms. In
reviewing a databank the firm would need to determine: A)
the needs of managerial functions in the organization; B)
the legal basis for individual privacy; C) the tradeoffs
desired between privacy and society; and D) technological
factors.

To perform objectively, these firms would have to
be free from political and non-professional pressure, and
from involvement in the special interests of the firm whose
databank is under investigation. The necessity for
uniformity and control of the subjective determinations that
would be required if such firms were organized implies
legislation either at the national or state level.

The complexity of the problem precludes any quick
and simple solution. Other alternatives, beyond those
discussed here, need to be developed and studied from an
operational and feasibility viewpoint.

9. SUGGESTIONS

Every individual must consider the central
questions of privacy which determine his interaction with
society. But managers have an even more complex problem in
weighing the advantages and disadvantages of decisions to
collect information. The complexity of the problem is
highlighted by the decision to utilize advanced technology
and the numerous trade-offs involved in such a decision.

Some general guidelines may be provided, however.
They are valuable both to the manager faced with an
information-privacy conflict, and to the individual citizen
considering the central questions of privacy in a
technologically advanced society. These guidelines can be
summarized as follows:

A. A comprehensive national policy is needed.
This policy should only approve of a databank if it serves a
legitimate need of the organization. Moreover, this policy
must weigh the social benefits against the social costs.
There are three identifiable categories of social costs: 1)
direct costs in resources to the organization; 2) cost due
to the chilling effect; and 3) cost due to the danger of
misuse. Six issues must be evaluated in weighing these
costs: 1) the criteria for inclusion of data in the file;
2) control of the quality of the information; 3) control of
the nature of data processing and selection of the data to
be processed; 4) control of access to the files and
technological questions of program access; 5) the degree of
centralization in the files; and 6) the degree to which
the information system is interfaced with other systems.
In terms of benefits, it should be noted that it is
important not to hinder an organization in the fulfillment
of its legitimate functions. For example, the Internal
Revenue Service should not be prohibited from the collection
of tax-related financial information on individuals and
organizations.

B. A means for enforcement, carried to the lowest
levels of affected organizations, is required as an integral
component of any solution to the problems of privacy.
Moreover, legislation is required to establish grounds for
legally demonstrating invasion of privacy. This
legislation should be designed as a deterrent to the
illegitimate accumulation of information.

C. A review of existing databanks and information
systems should be undertaken by all organizations
maintaining such files or systems.

However, legislative and judicial action at all
levels is not enough; individual citizens must be made
cognizant of the issues and solutions that this paper raises
for consideration. True, system builders must be educated
in the variety of technical considerations for protection of
privacy and given incentives to use them. Incentives for
further research should also be provided. But the job of
protecting our privacy lies not only with the systems
programmer and with the computer manufacturer; it lies with
us. Only by increasing the sophistication of each citizen
in matters regarding his relationship to the society in
which he lives can we prevent "freedom" from becoming an
empty word in America.